Topics - mrzaz

Small question: Will the presentation and presentation PDF used in the "pfSense Hangout - June 2017 - Advanced Captive Portal" session be available in the Hangout Archive soon? Could not find it there. And the hangout was almost a week ago. I could not attend the hangout but would like to see it afterwards.

I have found that the script for taking backups, and more specifically the "donotbackuprrd=no" parameter, stopped working in the 2017-02-01 -> 2017-03-01 timeframe (which is the monthly backup schedule), where it stopped backing up the XML with full RRD.

I started to check the script and made a change from "donotbackuprrd=no" to "donotbackuprrd=0" and then it started working again. Please update the WIKI page with this. Possibly a note that on some platforms "=0" is needed instead of "=no".

All my backups taken with donotbackuprrd=no do NOT contain RRD data, but when I changed to "donotbackuprrd=0" it started working directly. Script running on Synology DS713+ with DSM 6.1-15047 Update 1

#!/bin/ash
BACKUPDIR="/volume1/BACKUPNEW/pfsensebak/backup/daily"
USERNAME="<removed>"
PASSWORD="<removed>"
PORT="80"
SITES="x.x.x.x"
ZIP="/usr/bin/zip"
FIND="/usr/bin/find"
RMFILE="/bin/rm"
WGET="/usr/bin/wget"
BACKUPDAYS="30"
RMFILE="/bin/rm"
cd /volume1/web_backend/tools
for site in $SITES

#!/bin/ash
BACKUPDIR="/volume1/BACKUPNEW/pfsensebak/hansbuhlin/daily"
USERNAME="<removed>"
PASSWORD="<removed>"
PORT="443"
SITES="x.x.x.x"
RAR="/volume1/web_backend/tools/rar"
FIND="/usr/bin/find"
RMFILE="/bin/rm"
WGET="/usr/bin/wget"
BACKUPDAYS="30"
RMFILE="/bin/rm"
cd /volume1/web_backend/tools
for site in $SITES

Have seen a problem for a long time that has still not been resolved. I have a Hurricane IPv6 GIF and an interface for this. If I configure the interface with IP/mask/gateway the config is shown in the GUI OK. BUT then, after a few days, sometimes weeks, suddenly the config is gone in the GUI but also in the XML. But traffic still works OK.

- Happens without reboot. Spontaneously after some time.
- Works for a few days/weeks where the IPv6 config is seen as normal in the GUI, but then suddenly it is gone but traffic still works.
- When it occurs, ping to the remote site still works. (see ping below)
- See screenshot with dashboard showing that IPv6 traffic is working even if no config is seen in the GUI.
- Seen also in previous versions up to and including 2.3.3
- Has happened numerous times.
- Also in the XML config for interfaces the data is gone. (See example below)
- Seems like somehow pfSense screws something up and overwrites/removes some of the settings in the IPv6 interface. But under the hood, in the OS config, it is still configured and working.
- Never seen it on any other IPv4 interface. It is always the same IPv6 interface.

During investigation of another problem I think I may have stumbled on a possible bug related to DNS Resolver and Forwarding mode. After reviewing the DNS Hangout with Jim P I thought I had it covered but saw a strange behaviour during the testing.

As I have understood it, the whole thing is:
- DNS Resolver in Non-Forwarding mode will do a lookup to available root servers on all available WANs.
- DNS Resolver in Forwarding mode will do a lookup to the forwarding DNS IP defined for each WAN gateway.
eg. The following is defined in General - DNS Server Settings:
DNS Server 1 8.8.8.8 WANGW - wan - 87.x.x.1
DNS Server 2 8.8.4.4 WAN2MOBILEGW - opt3 - 192.168.125.1

This will send a DNS request to 8.8.8.8 out the WANGW and a DNS request to 8.8.4.4 out on WAN2MOBILEGW. Of course, the "Outgoing Network Interfaces" in DNS Resolver must have the NICs for WANGW and WAN2MOBILEGW selected. (WAN + WAN2MOBILE in my case)

What I have seen is that even if I define one DNS to only one gateway, the request is sent to both DNS IPs defined on all interfaces that have been defined in DNS Resolver as outgoing.

eg. 8.8.8.8 and 8.8.4.4 are sent to both WAN and WAN2
instead of
8.8.8.8 -> WAN
8.8.4.4 -> WAN2
Even with this config, it will send out DNS requests to both 8.8.8.8 and 8.8.4.4.

So there should be static routes forcing the DNS out the correct interface but still I see both 8.8.8.8 and 8.8.4.4 on ue1 in the example.

After some more tests I had to insert a rule that captured the IPs 8.8.8.8 / 8.8.4.4 and forced them through the "default" gateway and not the DualGW gateway group. So after all, it may not be a bug, BUT I think this should be handled somehow as this could be a trap that is easy to fall into and difficult to spot.

- I have defined one DNS on each WAN (8.8.8.8) and WAN2mobile (8.8.4.4)
- I have tried both Forwarding and Non-Forwarding mode on DNS Resolver. (but will use the Forwarding mode as it will work better with MultiWAN according to Jim Pingle)
- I have tied the outgoing interfaces in DNS Resolver to WAN + WAN2. (to allow DNS traffic on any of these interfaces)
- I have changed the rules to use the Gateway Group for all the relevant rules.

The problem I am struggling with is: How can I prevent the system from sending out any DNS requests on WAN2 until this interface becomes active in the failover scenario (Tier2 becomes active)? I have tried with and without the "Default gateway switching" but no difference. (Think this should be off when doing "Gateway Group" AFAIK?!) And I do want to use pfSense as resolver for the clients as I want to be able to use the Host override function for local lookups of local services.

I would like the WAN2 interface to be almost silent and only possibly send out some local ARP requests, some local broadcasts and possibly some infrequent pings by dpinger to verify connectivity of the interface. I have already disabled all the SSDP packets on the interface today with rules.

As it is now, I am seeing a lot of DNS requests originating from the pfSense WAN2mobile interface IP towards external DNS servers, and it is NOT triggered by any local LAN PC, as the only PC currently using this router is my desktop PC and I have done a packet capture on the incoming LAN (in pfSense) using promiscuous mode and could not see any device triggering the DNS requests seen out on WAN2.

Am I doing something wrong, or is there a way to use the pfSense "DNS Resolver" in a MultiWAN GatewayGroup scenario but only having it send out any DNS requests to WAN2 when Tier2 becomes active?

I want to avoid any unnecessary traffic on the WAN2 interface when it is only idling, waiting to take over in a failover scenario. As the subscription has a cap limit / month on the 4G I do not want to waste any traffic.

Best regards
Dan Lundqvist
Stockholm, Sweden

UPDATED: Another strange thing is that if I have Forwarding mode set in DNS Resolver and have the 8.8.4.4 IP defined as DNS for WAN2 and 8.8.8.8 for WAN, I see DNS forwarding to both 8.8.8.8 and 8.8.4.4 on the WAN2 interface.

What I could see in the /etc/resolv.conf is:
nameserver 127.0.0.1
search mrzaz.com
nameserver 8.8.8.8
nameserver 8.8.4.4

I did a small test where I removed all DNS entries in General and then all DNS lookups stopped working from clients.
$ cat /etc/resolv.conf
nameserver 127.0.0.1
search mrzaz.com

Then I added the IPs again without selecting any gateways and DNS lookup started working again, even without any gateways selected.
$ cat /etc/resolv.conf
nameserver 127.0.0.1
search mrzaz.com
nameserver 8.8.8.8
nameserver 8.8.4.4

- How is the DNS defined in General actually tied to a specific gateway in FreeBSD when defined in pfSense?

Seems like even if I define one DNS to only one gateway, the request is sent to both DNS IPs defined on all interfaces that have been defined in DNS Resolver as outgoing.

eg. 8.8.8.8 and 8.8.4.4 are sent to both WAN and WAN2
instead of
8.8.8.8 -> WAN
8.8.4.4 -> WAN2

Also I still do not know how to limit an outgoing request based on the Gateway group Tier1 or 2 selection mode. (eg. only send DNS on interface that is currently active in the group)

Hello, I have a strange behaviour that I can't figure out where it originates from.

I have 3 WAN, where WAN3 is going through a mobile broadband dongle.

WAN1 is the main outgoing, but WAN2 is used, by rules, for outgoing from some machines. (outgoing load balancing) WAN3 is not set as default and does not have any rules pointing traffic to this interface. (at the moment)

I have DNS Forwarder set up and 2 DNS IPs defined pointing to WAN1 under General. I have checked and only dnsmasq and NOT unbound is enabled. (unbound is not even in the service table as it is switched off)

I also have the following:
DNS Query Forwarding
Query DNS servers sequentially = TRUE
(If this option is set, pfSense DNS Forwarder (dnsmasq) will query the DNS servers sequentially in the order specified (System - General Setup - DNS Servers), rather than all at once in parallel.)

According to this, only the DNS servers defined should be queried and NOT root server 8.8.8.8

BUT, what I see when doing a packet capture is that something still generates DNS traffic from the pfSense WAN3 IP to Google root DNS 8.8.8.8 and I can not figure out what and also HOW, as it should not be possible depending on how pfSense is configured.

Anyone who has any idea on HOW and WHY these requests go out and from WHAT?

I have been trying to use the pfSense 2.3.2 Bootstrap webgui on a mobile Samsung S7 Edge and have tested both the internal browser and also Chrome, but have found a problem related to expanding long menus and scrolling.

What happens is that the browser, when in "mobile mode", does not recognize that the screen is "getting longer" when a large menu is expanded, so when trying to scroll down the whole screen it stops prematurely and I am not able to scroll down to the bottom to see all items in the menu.

I have tried to use the "Get PC version" in the internal browser but no good, but managed to use "Get desktop version" in Chrome, but with the disadvantage that it then zooms out to the whole screen and that contradicts the whole scaling capability of Bootstrap, that it would scale well regardless of display size.

All other scaling to mobile devices works perfectly in Bootstrap but not the menus. These need some rework for optimal usage on small mobile devices.

Screenshot_20160904-121238.png Screenshot when only expanding the menu.
Screenshot_20160904-121247.png Screenshot when expanding the "Services" menu and scrolling the page to the bottom. As seen, 6 entries in the menu are missing.
Screenshot_20160904-121255.png Screenshot when expanding the "Diagnostics" menu and scrolling the page to the bottom. As seen, 21 entries in the menu are missing.

If needed, I can write a bug report in redmine?

Best regards
Dan Lundqvist
Stockholm, Sweden

UPDATE: I have now tested the same in Windows using Firefox and Chrome and minimized the browser window so it scales down to 1 column mode, and I see the same problem.... If I select a menu and then a menu item with a long list I am not able to scroll down to the last item. Same as for the mobile. The scroller seems to scroll only the underlying dashboard page and not the full page, and it has to do with when the user has selected "Top Navigation = Fixed".

This is a bit catch-22. I wonder if it is possible to dynamically change the Top Navigation from Fixed to "Scrolls with Page" when it switches to 1 column mode, so admins moving from PC to iPad to mobile don't need to sacrifice and set "Scroll" even if they want Fixed when on a desktop PC?

Or at least add an option so the users can select if they want this behaviour or not.

I am trying to set up a plain failover scenario with a normal WAN + USB 3G modem PPP but have a problem that the router does not change the default GW to Tier2 during failover but is still sticking to the WAN GW (Tier1).

I have a "ppp0 /dev/cuaU0.0" defined and an interface "MobileWAN" as IPv4 type PPP with the correct APN. If I check the interfaces I get the following:

I have verified with traceroute using the Src IP and it seems to work OK. It goes out the PPP route instead of WAN.

In the Routing/Gateways tab I have added a working IP for the Monitor IP as it is normally cloaked with ppp. I have set the weight to "2". (And weight "1" on the WAN Gateway). WAN Gateway is set as "Default Gateway".

I have created a Gateway Group called "FailoverMOBILE" and selected the WAN gateway as "Tier1" and MOBILEWAN_PPP as "Tier2", and the trigger level (right now) to "Member Down".

I have also added 2 DNS addresses on the MOBILEWAN under General Setup as well as added MOBILEWAN to the outgoing NIC in DNS Resolver.

If I then check Status/Gateways, both WAN + MOBILEWAN_PPP show RTT and Loss figures OK and Status is ONLINE on both. If I then check Status/Gateway Groups, Tier1 WAN is ONLINE and Tier2 MOBILEWAN_PPP is ONLINE. If I check the Routes table, WAN GW is the "default".

I then try to trigger a fault by disconnecting the WAN cable, and then the WAN in Gateways and Gateway Groups goes OFFLINE. BUT, even after waiting minutes the "default" gateway in Routes still points to the WAN GW IP. And when trying traffic from inside the LAN I get "Destination host unreachable" from the pfSense machine. (which is normal as the GW still points to WAN)

If I then force MOBILEWAN_PPP as "Default Gateway" in the Gateways tab manually, then traffic resumes and I can surf from inside again. (using MOBILEWAN GW)

Question is why the router does not change the default gateway to MOBILEWAN_PPP when the WAN Gateway is marked OFFLINE? Anyone who has an idea?

The IGMP Proxy that is included in pfSense is good at handling local LANs physically tied to a defined NIC. However, it does not work well in an IPSec Site2Site routed environment and also not well in an OpenVPN Peer2Peer Site2Site routed environment.

- For IPSec, you don't get any NIC to tie in as Downstream. (AFAIK)

- For OpenVPN in Peer2Peer SharedKey, you will have both the routed net (routing table) and also the transport /30 net. If you connect an interface to the ovpnsX network port, it will only place the packets from the upstream on the transport net and not on the LAN on the destination side. (As far as I have seen when doing tests)

The only thing that works is when you set up an OpenVPN Server (and create an interface tied to this ovpns) and connect with a normal client where the client is getting its real IP on the same net as the pfSense OpenVPN adapter. (eg. pfSense on 192.168.123.1 and PC client connected with OpenVPN client gets 192.168.123.2) This I have tried and it works, but I could not get the site2site version working. The SSDP packets don't go all the way to the destination LAN but get stuck halfway.

The uPnP Proxy works in another way, where it sets up a "Layer 3" routable connection between 2 or more locations and lets the system take care of the transport between the entities. Then the proxy extracts the encapsulated SSDP and drops it out on the local LAN. (similar to what IGMP proxy does)

I would really like the uPnP Proxy compiled as a package, but don't know if I have the skills to make the existing one into a working package. !?

I have one IPSec connection (dest 2) with two Phase 2 nets (192.168.120.0 and 192.168.121.0) going over the same Phase1 connection.

Previously in 2.1.5, this was shown as 4 entries in the Dashboard IPSec table. (Basically one each representing one phase 2 connection.) If one phase 2 had gone down, then one entry in the Dashboard IPSec table was down and it was also seen as one down in the Overview screen in the Dashboard IPSec table.

In 2.2 RC, there are still 4 entries in the Dashboard IPSec table and it looks exactly the same as in 2.1.5.

HOWEVER, now it shows all four entries as green "UP", even if I know that one Phase 2 is NOT up. If I check the IPSec Status page and expand "Show child SA entries", the "192.168.121.0" net is not up. Feels to me that this is a bug in the 2.2 RC Dashboard IPSec widget.

(192.168.121.0 net is the OpenVPN Server for roadwarriors and is not always in state where someone is connected = No ping/traffic from this interface over the IPSec.)

After the upgrade the system has auto-created a dynamic IPv4 gateway called "TUNNELBROKER_TUNNELV4" (which is tied with IPv4) for my TUNNELBROKER IPv6 interface. But as said, this interface is pure IPv6 and NOT IPv4, so this dynamic interface should not have been created at all.

The only way a dynamic gateway should be created is if I, on the TUNNELBROKER interface, define IPv4 as DHCP.

It is not possible to remove (only possible to disable). If I disable it and then remove it, system recreates it again.

I have verified this on 2 different installations where one never had bind installed prior.

What I found is that the problem occurs when "Forwarder IPs" is defined.

After inspecting the actual named.conf file in "/cf/named/etc/namedb/named.conf" I found a fault in row 22: "forwarders { xx.xx.xx.xx };" NOTE: (I have left out the actual IP).

The problem is that all values should end with a semicolon after the value, also inside the braces.
eg.
forwarders { xx.xx.xx.xx };
SHOULD BE
forwarders { xx.xx.xx.xx; };

When I changed this in my installation, bind started up just fine and is now working OK. As the row above IS having my site-specific DNS IP inserted, it is not a fault caused by the default bind files shipped with the package but is modified by the local pfSense installation/package.

Could whoever is responsible for the bind package please update the package and release a working one.

For remedy on existing installations to get bind working, do the following:

NOTE! This modification must be done EVERY TIME you modify anything in the pfSense Bind GUI, as it saves the file again with the faulty missing semicolon. This means even if you just disable/enable the service. Any modification that requires the Save button to be pressed will remove the semicolon and it needs to be inserted manually again, and the service restarted.

UPDATED 2014-11-10: I have reviewed the code and there is no validation of the input whatsoever for the "Forwarders" entry, so it will accept anything including text. (this will of course not work with BIND) No validation/forming that the data to be written to named.conf is in the correct format is done. The values from the form are written straight into the named.conf file. I think this is also valid for other multi-edit fields as well on other pages.

This will make it easier to work around though, as it is now (short term) possible to write it in the correct format (as bind wants it) in the config page. Write it in the following form:
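As an added example (not part of this post and not the pfSense bind package's own code), here is the validation and formatting step the post says the package lacks, in Python: each "Forwarders" entry is checked to be an IP address and rendered with the inner semicolons BIND expects, plus a repair pass that fixes the faulty "forwarders { x };" form in an existing named.conf. The sample config and the address 192.0.2.53 are constructed.

```python
import ipaddress
import re


def is_valid_forwarder(entry):
    """True if the user-supplied entry is a bare IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(entry.strip())
        return True
    except ValueError:
        return False


def render_forwarders(entries):
    """Render a BIND 'forwarders' statement from form entries.

    Every entry is validated as an IP address (the package does no such
    check), and every address is terminated with ';' inside the braces,
    which is the form BIND requires: forwarders { 8.8.8.8; 8.8.4.4; };
    """
    addrs = [e.strip() for e in entries if e.strip()]
    bad = [a for a in addrs if not is_valid_forwarder(a)]
    if bad:
        raise ValueError("forwarders must be IP addresses, got: %r" % bad)
    if not addrs:
        return ""
    return "forwarders { " + " ".join(a + ";" for a in addrs) + " };"


_FORWARDERS = re.compile(r"forwarders\s*\{([^}]*)\}\s*;")


def repair_named_conf(text):
    """Rewrite forwarders statements whose addresses lack the trailing ';'.

    Returns (new_text, count) where count is the number of statements
    fixed. Statements that are already well formed are left untouched.
    """
    fixed = 0

    def fix(match):
        nonlocal fixed
        inner = match.group(1)
        addrs = inner.replace(";", " ").split()
        # Well formed means exactly one ';' per address inside the braces.
        if inner.count(";") == len(addrs):
            return match.group(0)
        fixed += 1
        return render_forwarders(addrs)

    return _FORWARDERS.sub(fix, text), fixed


# Constructed sample in the shape the post describes (the row with the
# missing inner semicolon); 192.0.2.53 is a documentation address.
SAMPLE_NAMED_CONF = """options {
    directory "/etc/namedb";
    forwarders { 192.0.2.53 };
};
"""

if __name__ == "__main__":
    new_text, count = repair_named_conf(SAMPLE_NAMED_CONF)
    print(count, "statement(s) repaired")
    print(new_text)
```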

I just want to get the latest status about the IPSec support in 2.1_RC0.

I have several "normal" tunnels, both IPv4 and IPv6, up and running on Static->Static routers but am now faced with a problem that I need to connect to a pfSense router that is not allowed to get static IPs, and would like to avoid the "Mobile Client/Roadwarrior" setup as I still want to tunnel the other end's internal net.

Is it possible to set up an IPSec Tunnel StaticIP_Router1 -> DynamicIP_Router2 using another Peer Identifier type than IP and using a DynamicIP hostname in the "Remote gateway" entry?

Of course, there could be temporary problems if R2 is forced to change IP and the tunnel will go down temporarily until it can re-initialize (the Dynamic IP hostname updates to the new IP, the cached one is thrown from the DNS cache and the tunnel inits again), but we could live with that.

I have seen other routers having this feature working so it should be possible, and as the whole IPSec stack has largely been rewritten in 2.1 I was hoping for some better support in this area.